Industry Intel

It’s that time of the year! The moment when we reflect back on the cybercrime tactics, techniques and procedures (TTPs) that shaped 2013, in order to constructively speculate on what’s to come for 2014 in terms of fraudulent and malicious campaigns, orchestrated by opportunistic cybercriminal adversaries across the globe. Throughout 2013, we continued to observe and profile TTPs, which were crucial for the success, profitability and growth of the cybercrime ecosystem internationally, such as, for instance, widespread proliferation of the campaigns, professionalism and the implementation of basic business/economic/marketing concepts, improved QA (Quality Assurance), vertical integration in an attempt to occupy market share across multiple verticals,  as well as the re-emergence of known, and well proven cybercrime-friendly concepts like standardization and DIY (do-it-yourself) type of propositions.

Eager to learn more? Keep reading!

read more…

The over-hyped market valuation of the buzzing P2P E-currency, Bitcoin, quickly gained the attention of cybercriminals internationally who promptly adapted to its sky rocketing valuation by releasing commercially available stealth Bitcoin miners, Bitcoin wallet stealing malware, as well as actually starting to offer the source code for their releases in an attempt to monetize their know-how and expertise in this area. Throughout 2013, we profiled several subscription based stealth Bitcoin mining tools, and predicted that it’s only a matter of time before this still developing market segment starts proliferating with more cybercriminals offering their stealth Bitcoin releases to prospective customers. Not only are we continuing to see an increase in terms of the number of tools offered, but also, some cybercriminals are actually starting to offer the source code for their releases, which, as we’ve seen in the past, has resulted in an increase in ‘vallue-added’ releases on behalf of fellow cybercriminals implementing features based on their perceived value, or through interaction with prospective customers.

What are cybercriminals up to in terms of stealth Bitcoin miners these days? Let’s profile several of the (international) underground market share leading commercially available stealth Bitcoin miners, emphasize on their features, as well as just how easy it is to fraudulently mine Bitcoin/Litecoin these days, with the affected user never really knowing what’s taking place on their PC.

read more…

Top 5 Enterprise Threat Predictions for 2014

• Ransomware for the enterprise
• Compromised clouds
• Advanced mobile phishing tactics
• APT’s focus on mobile
• Mobile device linked to major compromise

When thinking about cyber-security and looking back over the years, there is a clear and unfortunate trend which doesn’t show any signs of slowing. The trend is that year over year, more and more cyber-attacks occur while at the same time, the sophistication of attacks continues to evolve. Additionally, a matured cyber-crime as a service (CCaaS) ecosystem has enabled practically anyone to get involved. Combine this with the growing cost of defenses and the reality that many solutions are only somewhat effective and you can see that the feasibility of cyber-security is, well, getting farther and farther way.

Now, I could go into the various factors which are causing this losing battle, such as societies overwhelming desire to pick convenience over security, or the mentality that, ‘it will never happen to me;’ but I’ll save that for another blog. Instead, I’m going to consider the cyber-security events from the past few years and predict the top 5 threats enterprises are likely to face in 2014.

First, I should note that these predictions are not ordered or ranked in any way, they are simply 5 enterprise focused security events you will likely read about next year along with my supporting reasons for the prediction. So let’s get started!

Prediction # 1 – Ransomware for the enterprise
Early in 2013, a new type of ransomware, self-named Cryptolocker, was discovered which included a few very significant and very frightening changes. Unlike older ransomware, which would store the decryption key within the executing binary, Cryptolocker stores the encryption key in their C&C server network and with each new infection, a new key is used. This makes it next to impossible to decrypt files modified by the infection. The other big change is that Cryptolocker doesn’t give you a lot of time to pay the ransom, often around $300, with only 72 hours to comply before the decryption key is destroyed. These tactics have made Cryptolocker the most advanced and most aggressive ransomware discovered to date, however Cryptolocker’s focus remains primarily on individual users which is evident by the distribution tactic of spam email.

Based on Cryptolocker’s tactical advancements and success, it is only a matter of time before an enterprise becomes the target of a similar form of attack. Many people are gladly handing over $300 to regain access to their personal files, imagine what an enterprise would pay to restore its data. My guess is at least, in my best Dr. Evil voice, 1 million dollars!

Prediction # 2 – Compromised clouds
While cloud infrastructure has been around for a while, 2013 saw very widespread adoption as companies looked to save money and to run more efficiently. While the cloud has a number of benefits, additional security isn’t always one of them and not are all clouds are equal. In cases where companies are opting for public cloud infrastructure, they trust the security measures put in place by the cloud hosting service. This basically extends the attackable surface, increases vectors for attack and reduces the overall control a business has to prevent an attack. Of course, there is the option for a private cloud, but for most this option is too expensive and/or overkill for their needs.

As utilizing cloud services becomes the new norm, it will also become a more ideal target for cyber-crime and attack. Consider, if you successfully compromise a cloud hosting provider, you likely gain access to all data within which would include that of dozens if not hundreds or even thousands of companies.

Prediction # 3 – Advanced mobile phishing tactics
Phishing isn’t new by any means, however the utilization of this attack vector continues to grow at record pace while the tactics used continue to evolve. In 2013 we saw new innovative attacks involving the human experience, either over the phone or in person. Waterhole attacks which identify and compromise websites likely to be visited by the primary target. And mobile attacks ranging from phishing SMS messages to rogue and misleading advertisements. Then, of course, there is the mass of phishing spam email contrasted by the ultra-precise spear-phishing attack. The trouble is, phishing attacks are so effective because they pay especially close attention to the human experience and our desire to trust someone we know. When aimed at an enterprise, all an attacker has to accomplish is tricking one individual and research has shown it only takes about 15 targets for this to be guaranteed.

But what about mobile? As today’s workforce continues to shift to mobile devices and platforms, so will the tactics used by attackers. Mobile is a ripe target for attack as the user experience is focused on convenience over security. Combine this with the one touch access and lack of authentication and it is easy to see why I predict new advanced phishing tactics aimed at compromising mobile devices.

Prediction # 4 – APT’s focus on mobile
2013 saw a massive migration to smartphones and mobile OS’s as well as widespread adoption of BYOD; and the cyber-crime community definitely took notice. This past year, Webroot’s mobile research team discovered over 1 million malicious Android apps which is over 1000% growth from the previous year. But compromising a mobile device doesn’t have to start with an app. We’ve seen recent website hacks only modify pages for mobile devices, a tactic avoid detection, but also evidence that mobile is becoming a primary focus. Additionally, there have been numerous new mobile related services popping up in underground markets. Services range from SMS flooding, malicious app creation, mobile botnet building tools and even, and most disturbing, trusted developer credentials which can be used to post apps to major app markets like Google Play.

Because mobile devices contain so much information and very little security or authentication, they will increasingly be the focus for attacks. When considering the planning that goes into today’s APT backed attack, it only makes sense that highly organized cyber-crime gangs and/or state launched attacks will target mobile devices as part of their future attacks.

Prediction # 5 –Mobile device linked to major compromise
My final prediction again relates to mobile, and the reasons are largely expressed in the previous two predictions. There is a clear trend for the adoption of personal mobile devices in the workplace but it isn’t being matched with employee education, policy or security. The reality is that BYOD can be done correctly when four key areas are secured. These are app protection, web protection, data protection and device protection. By securing these areas, personal devices can be used for personal use and also safe to connect to the corporate network.
The trouble however, is that most enterprises are allowing BYOD without proper planning, education or policy in place. This lack of regulation combined with lacking security features for mobile devices will eventually lead to a major compromise.

So, what can your company do to stop these threats? Well, employee education to drive awareness of the types of attacks and their consequences is a good first step. Security solutions have also advanced with better threat awareness, and in Webroot’s case, are harvesting the power of crowds in the cloud to rapidly identify the newest threats. For more information, feel free to shoot me an email at gmilbourne@webroot.com or visit our website at http://www.webroot.com/.

WhatsApp users, watch what you click on! A currently circulating fraudulent spam campaign is brand-jacking WhatsApp in an attempt to trick its users into clicking on links found in the email. Once socially engineered users fall victim to the scam, they’re automatically exposed to a fraudulent pharmaceutical site, offering them pseudo bargain deals. Let’s assess the fraudulent campaign, and expose the fraudulent infrastructure supporting it.

read more…

In need of a fresh example that malicious and fraudulent adversaries continue professionalizing, and standardizing demanded cybercrime-friendly products and services, all for the sake of monetizing their experience and expertise in the profitable world of cybercrime? Publicly launched around the middle of 2013, a product/training course targeting novice cybercriminals is offering them a manual, recommendations for open source/free software, as well as access to a private forum set up for customers only, enlightening them to everything a cybercriminals needs to know in order to stay secure and anonymous online. The standardized OPSEC offering is targeting novice cybercriminals, and also has an interesting discount based system, offering $10 discounts for every feedback from those who’ve already taken the course.

read more…

In a series of blog posts throughout 2013, we emphasized on the lowering of the entry barriers into the world of cybercrime, largely made possible by the rise of managed services, the re-emergence of the DIY (do-it-yourself) trend, and the development of niche market segments, like the practice of setting up and offering bulletproof hosting for a novice cybercriminal’s botnet generating platform. The proliferation of these easy to use, once only found in the arsenal of tools of the sophisticated cybercriminals, tools, is the direct result of cybercrime ecosystem leaks, cracked/pirated versions, or a community-centered approach applied by their authors, who sometimes rely on basic ‘freemium’ marketing models, namely, offering a free and paid/licensed version of their cybercrime-friendly tools.

Not surprisingly, we continue to observe the development of the niche market segment targeting novice cybercriminals, empowering them with botnet setting up services, as well as bulletproof hosting for their command and control infrastructure. In this post, I’ll discuss yet another such cybercrime ecosystem market proposition, that’s differentiating its unique value propositions (UVP) by vertically integrating — offering binding of Bitcoin miners and malware crypting services — as well as offering the option to set up a dozen of well known IRC/HTTP based botnet generating tools.

read more…

The most recent and interesting threats we see are more or less “evolved” forms of previous threats, including those originating from the PC side. People have been “spoofing” parts of apps, such as code, appearance, or digital certificates, since Android malware first started appearing. The MasterKey exploit was a whole new way to modify the app without even having to spoof anything (since this was the exploit which allowed applications to be changed without invalidating the existing digital signature). It’s also very interesting to see how threats like Zitmo or RAT-type apps seem to get better and better at mirroring the PC versions of those threats.

For instance, Zitmo (Zeus in the mobile) seems to always come from the same template, afterwards customized to mimic various authentication or banking apps, similar to the PC version. In general, what are most interesting are those threats which appear to be getting better and better at these techniques considered mainstays of PC malware. We don’t expect to stop seeing these types of developments in many of the different threats seen around the Android landscape.

Our top 5 predictions:

• More PC-side infections ported to Android, especially Ransomware
• Increasingly-sophisticated obfuscation techniques
• Increasingly-sophisticated packing techniques
• Greater focus on social engineering within Android malware
• At least one new exploit similar to the level/severity of MasterKey

Stay protected!
There are many ways to change your habits and use security software to help prevent catching a bug on your Android device. When downloading apps, know where you are getting them from. Though not foolproof, the Google Play Store is still, by far, the safest place to get apps for your Android devices.

Use Android security software to protect your devices, such as Webroot SecureAnywhere. There are many other apps which will provide additional help identifying various risky behaviors, settings, or software on your phone as well. Furthermore, the Android operating system gets more secure and informative every day, allowing users to better understand the permissions and risks behind their apps.

Lastly, keep up on the latest Android news! It’s super easy with all the great news outlets, blogs, and Twitter feeds out there. If it’s hot, new, or just plain interesting, you can count on many tech news outlets, including the Webroot Threat Blog, to post or comment about it.

Next to the ubiquitous for the cybercrime ecosystem, traffic acquisition tactics such as, blackhat SEO (search engine optimization), malvertising, embedded/injected redirectors/doorways on legitimate Web sites, establishing purely malicious infrastructure, and social engineering driven spam campaigns, cybercriminals are also masters of utilizing social media for the purpose of attracting traffic to their fraudulent/malicious campaigns. From the efficient abuse of Craigslist, the systematic generation of rogue/bogus/fake Instagram, YouTube, and email accounts, the process of automatic account generation continues to take place, driving a cybercriminal’s fraudulent business model, naturally, setting up the foundations for upcoming malicious campaigns that could materialize at any point in time.

In this post, I’ll discuss a commercially available automatic account registration tool that’s successfully targeting Tumblr, emphasize on its core features, and discuss tactics through which its users could abuse access to these automatically registered accounts.

read more…

With social media, now an inseparable part of the marketing expenditures for every modern organization, cybercriminals quickly adapted to the ongoing buzz, and over the last couple of years, have been persistently supplying the market segment with social media metrics performance boosts, in the the form of bogus likes, dislikes, comments, favorites, subscribers, and video/music plays. This process, largely made possible by the massively undermined CAPTCHA bot vs human verification practice, results in automatically registered accounts, or the persistent data mining of malware-infected hosts for accounting data for social media accounts, continues to scale, allowing both individuals and organizations to superficially boost their social media reputation. In this post, I’ll discuss a recently sampled such service, offering an unlimited number of likes, dislikes, comments, favorites, subscribers and video/music plays, that’s either monetizing automatically registered accounts, compromised legitimate accounts, or what we believe they’re doing, a mix of both in an attempt to meet the demand for their services.

read more…

Ever since we exposed and profiled the evasive, multi-hop, mass iframe campaign that affected thousands of Web sites in November, we continued to monitor it, believing that the cybercriminal(s) behind it, would continue operating it, basically switching to new infrastructure once the one exposed in the post got logically blacklisted, thereby undermining the impact of the campaign internationally. Not surprisingly, we were right. The campaign is not only still proliferating, but the adversaries behind it have also (logically) switched the actual hosting infrastructure. Let’s dissect the currently active malicious iframe campaign that continues to serving a cocktail of (patched) client-side exploits, to users visiting legitimate Web sites.

read more…